CVE-2026-34725
Received Received - Intake
Stored XSS in DbGate Enables Remote and Local Code Execution

Publication date: 2026-04-02

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description
DbGate is cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in version 7.1.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34725
EUVD
EUVD-2026-18472
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dbgate dbgate From 7.0.0 (inc) to 7.1.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in DbGate allows arbitrary JavaScript execution in a victim's browser session and local code execution in the Electron desktop app. This can lead to token theft, session hijacking, and unauthorized privileged actions, which may result in unauthorized access to sensitive data.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Therefore, if exploited, this vulnerability could lead to violations of data protection requirements mandated by these regulations.

Executive Summary

CVE-2026-34725 is a stored Cross-Site Scripting (XSS) vulnerability in DbGate versions 7.0.0 to before 7.1.5. It occurs because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization in the applicationIcon field.

In the web UI, this allows an attacker to execute arbitrary scripts in another user's browser session. In the Electron desktop app, due to insecure configuration (nodeIntegration: true and contextIsolation: false), this vulnerability escalates to local code execution, allowing the attacker to run arbitrary code on the victim's machine.

The vulnerability arises from the unsafe rendering path where SVG strings starting with <svg are injected directly into the DOM without sanitization, enabling malicious payloads embedded in SVG or HTML to execute.

Impact Analysis

This vulnerability can have severe impacts depending on the usage context of DbGate.

  • In the web application, it allows attackers to execute arbitrary JavaScript in the victim's browser, which can lead to token theft, session hijacking, and performing privileged actions on behalf of the user.
  • In the Electron desktop app, the vulnerability can escalate to local code execution due to unsafe Electron settings, allowing attackers to execute arbitrary code on the victim's machine with access to Node.js and Electron APIs.

Overall, this can compromise confidentiality, integrity, and availability of data and systems accessed through DbGate.

Detection Guidance

This vulnerability can be detected by inspecting the applicationIcon field in DbGate app definitions for malicious SVG or HTML content that includes script execution payloads. Since the vulnerability arises from attacker-controlled SVG icon strings rendered without sanitization, detection involves checking for SVG strings starting with <svg that contain suspicious JavaScript or event handlers.

Specifically, you can search for app definition JSON files on disk that contain the applicationIcon field with embedded SVG or HTML tags that include JavaScript event handlers such as onerror.

Example commands to detect suspicious payloads might include:

  • Using grep to find SVG tags with event handlers in app definition files: grep -r --include='*.json' '<svg' /path/to/dbgate/apps | grep -i 'onerror\|javascript'
  • Searching for applicationIcon fields containing suspicious HTML: grep -r --include='*.json' 'applicationIcon' /path/to/dbgate/apps | grep '<img\|<svg'

Additionally, monitoring web UI traffic for unexpected script execution or Electron app behavior anomalies may help detect exploitation attempts.

Mitigation Strategies

The immediate and most effective mitigation is to upgrade DbGate to version 7.1.5 or later, where the vulnerability has been patched by sanitizing SVG icon content using DOMPurify.

If upgrading immediately is not possible, consider the following temporary mitigations:

  • Audit and remove any suspicious or untrusted applicationIcon entries in app definitions that contain raw SVG or HTML.
  • Restrict permissions to modify or create app definitions to trusted users only.
  • Disable or restrict usage of the Electron desktop app until patched, as it allows local code execution due to insecure configuration.

Applying these steps reduces the risk of exploitation until the official patch can be applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34725. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart